ABSTRACT

Encrypting/decrypting conversion method and apparatus capable of controlling dynamically cyclic shift independent of data to undergo encrypting/decrypting conversion includes two or more different fixed circulating shift processing means for shifting cyclically the data by a fixed bit number leftward or rightward, a cyclic shift processing selecting means for selecting fixed cyclic shift processing means. The selecting sequence determined by the cyclic shift processing means is determined on the basis of data for determining the shift number selecting sequence.

21 Claims, 17 Drawing Sheets 




03/10/2004, EAST Version: 1.4.1

U.S. Patent    Aug. 12, 2003    Sheet 1 of 17    US 6,606,385 B1

FIG. 1
[Block diagram: work keys KA: 32 bits (102) and KB: 32 bits (103), work key KG: 32 bits (104) and plain-text C: 64 bits (101) enter the encryption unit (106), which outputs encrypted text M: 64 bits (105).]

FIG. 3
[Conversion processing at the N-th stage: F(L[N], K, G), producing L[N+1].]






FIG. 4

G1, G2, G3    CYCLIC SHIFT NUMBERS
00            2
01            8
10            14

FIG. 5
[Circuit diagram of the N-th conversion stage: inputs KB, KA and G1, G2, G3; multiplexers (MUX), registers (REG), an adder (ADD) and the cyclic shifters RL2, RL8 and RL14; output R[N+1].]



FIG. 6
[Wiring diagram: leftward 2-bit cyclic shifter and leftward 8-bit cyclic shifter, each with a 32-bit output.]

FIG. 8

P1    P2    INTERNAL STATUS
0     0     Q0
0     1     Q1
1     0     Q2
1     1     Q0



FIG. 7
[Control of the multiplexer (MUX): the 32-bit outputs of RL2 (608), RL8 (609) and RL14 (610) feed the MUX, whose 32-bit output is selected by G1, G2, G3 from the cyclic shift number generating circuit (701). Labels on the generating circuit: KG{3N-1}, P0 (input), LOAD, synchronizing signal. A state-transition diagram with input/output labels on its arcs accompanies the circuit.]



FIG. 9
[Circuit diagram of the cyclic shift number generating circuit: inputs P0, P1, P2, LOAD and the synchronizing signal; flip-flops with J, K, PR and CLR terminals; output G1, G2, G3.]






FIG. 12
[Block diagram: work keys KA: 32 bits (102) and KB: 32 bits (103), work key KG: 30 bits (104) and encrypted text M: 64 bits (105) enter the decryption unit, which outputs plain-text C: 64 bits (101).]



FIG. 13
[Block diagram: a data key KD: 40 bits (501) enters the key generating unit (502), which supplies the work keys KA: 32 bits (102) and KB: 32 bits (103) and the work key KG: 30 bits (104); further labels on the key paths: "least significant 32-bit data" and "most significant 32-bit data". The encryption unit (106) converts plain-text C: 64 bits (101) into encrypted text M: 64 bits (105).]



FIG. 14
[Flow chart, reference numerals 1001 to 1014; box contents on the left, annotations on the right.]

START
L <- most significant 32-bit data of C
R <- least significant 32-bit data of C       Division of plain-text C to data L and R
N = 1                                         Initialization of counter N
Q = INIT(KG, N)                               Initialization of local variable Q of cyclic shift generating module
X = L EOR KA                                  Exclusive ORing with key KA
X = FUNC(X, KG, N, Q) + 1                     Cyclic shift and addition
X = FUNC(X, KG, N, Q)                         Cyclic shift and addition
X = X + KB                                    Addition with key KB
X = FUNC(X, KG, N, Q)    (1008)               Cyclic shift and addition
X = X + R                                     Addition
                                              Updating of R
                                              Updating of L
N = N + 1                                     Repeat ten times
                                              Compose encrypted text from combination of L and R



FIG. 15
[Flow chart of INIT(KG, N) (1101), with three exits: RETURN 1, RETURN 0 and RETURN 2.]

FIG. 17
[Block diagram: two pieces of equipment, each containing an encryption apparatus and a decryption apparatus, joined by an external bus over which the numbered messages (1) RB with Text1, (2) TokenAB and (3) pass. The drawing gives the token definitions that follow.]



TokenAB ° Text3 I eKAB(RA I RB I IB I TexS) 
TokenBA = Texts I eKAB(RB I RA I JwM) 






FIG. 19, FIG. 20 and FIG. 21
[Views of contents data; the labels IDA, IDB, IDC and CONTENTS DATA appear in FIG. 21.]






DATA ENCRYPTING/DECRYPTING 
CONVERSION METHODS AND 
APPARATUSES AND DATA 
COMMUNICATION SYSTEM ADOPTING 
THE SAME 



BACKGROUND OF THE INVENTION

The present invention relates to encryption/decryption techniques for encrypting/decrypting digital data transferred among computers, home-use-destined electric/electronic equipment and the like.

In the digital home-use-destined electric/electronic equipment promising further development in the future, the encryption/decryption technology is indispensably required for preventing or disenabling unauthorized or illegal copying of digital data.

As the encryption technology known heretofore there has already been proposed what is known as the RC5 encryption algorithm in which data-dependent cyclic shift operation (also called end-around, circular or ring shift operation) is adopted, as is disclosed in R. L. Rivest: "The RC5 Encryption Algorithm", FAST SOFTWARE ENCRYPTION, 2nd International Workshop, Springer-Verlag, (1995). The RC5 encryption algorithm is designed such that processed data length (i.e., the length of data to be processed) of w bits, secret key length of b bytes and processing round number r are variable. For having better understanding of the concept underlying the present invention, the RC5 encryption algorithm will be explained below in some detail.

For the text data which has not undergone any encrypting conversion processing (hereinafter referred to simply as the plain-text data) and which is given by "L[0] and R[0]", where L[0] represents more significant w/2 bits of the processed data length of w bits, and R[0] represents least significant w/2 bits thereof, there can be obtained through the RC5 encryption algorithm an encrypted text "L[2r+1], R[2r+1]" which can be derived through the procedure defined by the following expressions:



where 1≤N≤2r, and
where 1≤N≤2r.

In the above expressions, the repetition represented by "1≤N≤2r" is illustrated for "N" in FIG. 23 of the accompanying drawings. In conjunction with the above definition, arithmetic expression "A+B" in general represents a remainder resulting from division of a sum of "A" and "B" by the x-th power of "2", and operation symbol "EOR" represents an exclusive-OR on a bit-by-bit basis. Further, expression "x<<<y" in general represents arithmetic operation of shifting repetitionally "x" to the left (leftward shift) by least significant log(w) bits of "y". According to the RC5 encryption algorithm, twice repetition of the arithmetic operation shown in FIG. 23 is referred to as one stage operation. The encrypted text can be generated by repeating the one-stage operation r times.

Major features of the RC5 encrypting algorithm can be seen in that the length of the secret key is variable on a user-by-user basis and the cyclic shift can be varied or changed dynamically. However, because such algorithm structure is adopted that the dynamic change of the cyclic shift depends on the data for encryption, the RC5 encryption algorithm suffers a drawback of not being sufficiently hard against the selective plain-text attack, one of the cryptanalysis methods. For more particulars in this respect, reference should be made to Lars R. Knudsen, Willi Meier: "IMPROVED DIFFERENTIAL CRYPTANALYSIS ON RC5", Advances in Cryptology-CRYPTO'96, Springer-Verlag, 1996.

SUMMARY OF THE INVENTION

In the light of the state of the art described above, it is an object of the present invention to provide encrypting conversion method and apparatus which are capable of controlling dynamically the cyclic shift independent of data for conversion and additionally capable of realizing the encrypting conversion with highly enhanced randomness with a simplified system configuration.

Another object of the present invention is to provide method and system for decrypting the encrypted text.

Yet another object of the present invention is to provide a data communication system in which the encrypting/decrypting conversion techniques taught by the invention are adopted.

In view of the above and other objects which will become apparent as the description proceeds, there is provided an encryption system or apparatus for generating an encrypted text data of a predetermined length as an encrypted block from a plain-text data and key or keys as inputted, which apparatus includes:

(1) at least two fixed cyclic shift processing modules for cyclically shifting data leftward or rightward,

(2) a cyclic shift processing selecting module for selecting the fixed cyclic shift processing means, and

(3) a cyclic shift processing sequence determining module for determining an order or sequence for the selection of the cyclic shift processing selecting module on the basis of data for determining the shift number selecting sequence.

Thus, there is provided according to an aspect of the present invention an encrypting conversion apparatus which receives as inputs thereto at least one key and plain-text data to thereby output encrypted text data, which apparatus can be implemented in hardware fashion or software fashion and includes a cyclic shift processing module for determining a shift number on the basis of data for determining a shift number selecting sequence, a module for dividing inputted plain-text data into first data and second data and setting the first data as data L[1] while setting the second data as data R[1], at least one stage of an encrypting conversion processing module for receiving as inputs thereto data L[N] and R[N] to thereby output data L[N+1] and data R[N+1], wherein the encrypting conversion processing module is so arranged as to perform at least once for the data L[N] a conversion processing by using the key and a cyclic shift processing by means of the cyclic shift processing module, respectively, to thereby generate data X and wherein a value derived from arithmetic operation of the data R[N] and the data X is set as the data L[N+1] while the data L[N] being set as the data R[N+1], and a module for outputting a combination of two output data from a final stage of the encrypting conversion processing module as an encrypted text.

In a mode for carrying out the invention, the cyclic shift processing module may be so arranged as to include at least two different fixed cyclic shift processing modules each for performing cyclic shift by a fixed number of bits leftward or alternatively rightward, a cyclic shift processing selecting module for selecting the fixed cyclic shift processing module and a cyclic shift processing sequence determining module for determining a selecting sequence for the cyclic shift processing selecting modules on the basis of data for determining the shift number selecting sequence.

In another mode for carrying out the invention, the data for determining the shift number selecting sequence may be generated on the basis of the aforementioned key.

Further, according to another aspect of the present invention, there is provided a decrypting conversion apparatus which receives as inputs thereto at least one key and encrypted text data to thereby output plain-text data which apparatus can be implemented hardware-wise or software-wise and includes a cyclic shift processing module for determining a shift number on the basis of data for determining a shift number selecting sequence, a module for dividing inputted encrypted text data into first data and second data and setting the first data as data L[1] while setting the second data as data R[1], at least one stage of a decrypting conversion module for receiving as inputs thereto data L[N] and R[N] to thereby output data L[N+1] and data R[N+1] wherein the decrypting conversion module is so arranged as to perform at least once for the data R[N] a conversion processing by using the key and a cyclic shift processing by means of the cyclic shift processing module, respectively, to thereby generate data X and wherein a value derived from arithmetic operation of the data L[N] and the data X is set as the data R[N+1] while the data R[N] being set as the data L[N+1], and a module for outputting a combination of two output data from final stage of the encrypting conversion module as a plain-text.

In a mode for carrying out the invention, the cyclic shift processing module may be so arranged as to include at least two different fixed cyclic shift processing modules each for performing cyclic shift by a fixed number of bits leftward or alternatively rightward, a cyclic shift processing selecting module for selecting the fixed cyclic shift processing module, and a cyclic shift processing sequence determining module for determining a selecting sequence for the cyclic shift processing selecting modules on the basis of data for determining the shift number selecting sequence.

In a further mode for carrying out the invention, the data for determining the shift number selecting sequence may be generated on the basis of the aforementioned key.

By virtue of the arrangements described above, the cyclic shift can be dynamically controlled independent of the data for conversion, and the encrypting conversion as well as the decrypting conversion can be realized with highly enhanced randomness with a simple system configuration.

The above and other objects, features and attendant advantages of the present invention will more easily be understood by reading the following description of the preferred embodiments thereof taken, only by way of example, in conjunction with the accompanying drawings.

BRIEF DESCRIPTION OF THE DRAWINGS

In the course of the description which follows, reference is made to the drawings, in which:

FIG. 1 is a block diagram showing schematically and generally an arrangement of an encrypting conversion apparatus according to an embodiment of the present invention;

FIG. 2 is a block diagram showing in detail a configuration of an encryption unit shown in FIG. 1;

FIG. 3 is a view for illustrating conversion processing performed at an N-th conversion stage shown in FIG. 2;

FIG. 4 is a view showing relations between control signals G1, G2 and G3 and a cyclic shift number S in the processing shown in FIG. 3;

FIG. 5 is a circuit diagram showing a circuit configuration for realizing encrypting conversion through the processing shown in FIG. 3;

FIG. 6 is a wiring diagram showing schematically structures of a leftward 2-bit cyclic shifter and a leftward 8-bit cyclic shifter shown in FIG. 5;

FIG. 7 is a view for illustrating control for a multiplexer which is designed for switching the cyclic shifters shown in FIG. 5;

FIG. 8 is a view illustrating relations between initial ...;

FIG. 9 is a diagram for illustrating in detail a circuit configuration of the cyclic shift number generating circuit shown in FIG. 7;

FIG. 10 is a view for illustrating the effect of the cyclic shift for data diffusion (case #1) in the encrypting conversion process;

FIG. 11 is a view for illustrating the effect of the cyclic shift for data diffusion (case #2) in the encrypting conversion process;

FIG. 12 is a block diagram showing schematically a general arrangement of a decrypting conversion apparatus according to an embodiment of the invention;

FIG. 13 is a block diagram showing a circuit arrangement for generating a data key from a plurality of work keys used in carrying out the invention;

FIG. 14 is a flow chart for illustrating processing when the present invention is carried out softwarewise;

FIG. 15 is a flow chart for illustrating a local variable initialize function incorporated in a cyclic shift generating module used in the conversion process shown in FIG. 14;

FIG. 16 ... illustrating cyclic shift and add ... conversion process shown in FIG. 14;

FIG. 17 is a schematic block diagram illustrating a counterpart authenticity verifying scheme according to another embodiment of the invention;

FIG. 18 is a block diagram showing a package contents distributing/circulating system according to a yet another embodiment of the present invention;

FIG. 19 is a schematic view for illustrating an example of contents data which contains electronic transparent information;

FIG. 20 is a view showing schematically and illustratively another example of the contents data which contains electronic transparent information;

FIG. 21 is a view showing schematically and illustratively ... electronic transparent information;

FIG. 22 is a view showing a distributing/circulating system for contents according to still another embodiment of the present invention; and

FIG. 23 is a view for illustrating RC5 encryption algorithm known heretofore.

DESCRIPTION OF THE PREFERRED EMBODIMENTS

The present invention will be described in detail in conjunction with what is presently considered as preferred or typical embodiments thereof by reference to the drawings.
Embodiment 1

The encryption/decryption techniques according to the present invention will be described by reference to FIG. 1 which is a block diagram showing schematically and generally an arrangement of an encrypting conversion apparatus according to an embodiment of the present invention. Referring to FIG. 1, a clear or plain text (C) 101 is inputted to an encryption unit 106 together with a work key (KA) 102 of 32 bits, a work key (KB) 103 of 32 bits and a work key (KG) 104 of 30 bits. After enciphering or encrypting conversion, an encrypted text (M) 105 of 64 bits is outputted from the encryption unit 106. At this juncture, it should be mentioned that the work key (KG) 104 may also be referred to as the algorithm key because this key serves for determining the algorithm to be realized in the encryption unit 106.

FIG. 2 is a block diagram showing in detail a configuration of the encryption unit 106 shown in FIG. 1. The plain-text (C) 101 of 64 bits inputted to the encryption unit 106 is separated or divided into more significant 32-bit data L[1] and least significant 32-bit data R[1], whereon both the data undergo repetitionally encrypting conversions at a first conversion stage 201 to a tenth conversion stage 203, respectively. Finally, both the finally obtained more significant 32-bit data L[11] and least significant 32-bit data R[11] undergone the encrypting conversions mentioned above are combined together, whereby the encrypted text (M) 105 is generated to be outputted from the encryption unit 106. The encrypting conversion processing performed at a given or N-th conversion stage 202 is determined by control signals G1, G2 and G3 which are outputted from an N-th cyclic shift number generating stage 205 (where N represents an arbitrarily given natural number) to which 3-bit values KG{3N-1}, KG{3N-2} and KG{3N-3} of the work key (KA) 102, the work key (KB) 103 and the work key (KG) 104, respectively, are inputted. Parenthetically, KG{x} in general represents the x-th bit of the work key KG.

FIG. 3 is a view for illustrating, by way of example only, the conversion processing performed at the N-th conversion stage 202 shown in FIG. 2. Further, FIG. 4 is a view for illustrating operation involved in the conversion processing shown in FIG. 3. More specifically, FIG. 4 shows relations between the control signals G1, G2 and G3 and the cyclic shift number S. The encryption process according to the instant embodiment of the invention is realized by a transposition processing for effectuating the cyclic shift of concerned data itself and substitution processing including logic operation and arithmetic operation with other data. The processing contents illustrated in FIG. 3 will be described in order.

(1) An exclusive-OR (⊕) of "L[N]" (i.e., most significant 32-bit input data to the N-th conversion stage) and the work key KA is determined and denoted by "X1". This corresponds to a processing 301 shown in FIG. 3. Thus, the processing 301 can be expressed as follows:

X1 = L[N] EOR KA

At this juncture, it is presumed throughout the description that general arithmetic expression "A EOR B" represents an exclusive-OR of "A" and "B".

(2) On the basis of a 2-bit output value G1 derived at the N-th cyclic shift number generating stage 205, the cyclic shift number S is determined in accordance with the relevant relation shown in FIG. 4. Subsequently, a value resulting from the leftward cyclic shift of the exclusive-OR X1 by the shift number S bits is added with "X1" and "1". The sum obtained from this addition is represented by "X2". This corresponds to the processing denoted by reference numeral 302 in FIG. 3. Expressing mathematically,

X2 = (X1 <<< S) + X1 + 1

In this conjunction, it is presumed throughout the specification that the expression "A<<<B" in general represents that "A" undergoes cyclic shift by "B" bits leftwards. Equally, it is presumed throughout the description that the arithmetic expression "A+B" in general represents a remainder resulting from division of the result of addition of "A" and "B" by the 32nd power of "2". This operation "A+B" will also be referred to simply as the addition.

(3) On the basis of a 2-bit output value G2 derived at the N-th cyclic shift number generating stage 205, the cyclic shift number S is determined in accordance with the relevant relation shown in FIG. 4. Subsequently, a value resulting from the leftward cyclic shift of "X2" by the shift number S bits is added with "X2". The sum obtained from this addition is represented by "X3". This corresponds to the processing denoted by reference numeral 303 in FIG. 3. Expressing mathematically,

(4) Addition between "X3" and the work key KB is performed, the result of which is represented by "X4". This corresponds to the processing denoted by reference numeral 304 in FIG. 3. Thus, expressing mathematically,

X4 = X3 + KB

(5) On the basis of a 2-bit output value G3 derived from the N-th cyclic shift number generating stage 205, the cyclic shift number S is determined in accordance with the relevant relation shown in FIG. 4. Subsequently, a value resulting from the leftward cyclic shift of "X4" by S bits is added with "X4". The sum obtained from this addition is represented by "X5". This corresponds to the processing denoted by reference numeral 305 in FIG. 3. Expressing mathematically,

X5 = (X4 <<< S) + X4

(6) The result of the addition of "X5" and "R[N]" (i.e., least significant 32-bit input data to the N-th conversion stage) is outputted from the N-th conversion stage 202 as the more significant 32-bit output data L[N+1]. This corresponds to the processing denoted by reference numeral 306 in FIG. 3. Expressing mathematically,

(7) The more significant 32-bit input data L[N] of the N-th conversion stage is converted to the least significant 32-bit output data R[N+1] of the N-th conversion stage 202. This corresponds to the processing denoted by reference numeral 307 in FIG. 3. Expressing mathematically,

When the encrypting conversion processing (1) to (5) described above are summarized in the form of a function "F(L[N], K, G)", the processing performed at the N-th conversion stage 202 can be stated as follows:

In the foregoing, the encrypting conversion processing 
according to the invention have been described in detail. 
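Steps (1) to (7) carried through a chain of stages, together with the inverse, as an added example that is not code from the patent. The shift numbers follow FIG. 4 and the control triples (G1, G2, G3) are supplied per stage by the caller; the keys, schedule and decryption routine (written here as the direct algebraic inverse of one stage) are assumptions and constructed sample values.

```python
MASK32 = 0xFFFFFFFF

# FIG. 4: 2-bit control signal -> cyclic shift number S (code 11 is not defined there).
SHIFT_FOR_CODE = {0b00: 2, 0b01: 8, 0b10: 14}

# Constructed sample values, not taken from the patent.
SAMPLE_KA = 0x0123ABCD
SAMPLE_KB = 0x89EF4567
SAMPLE_SCHEDULE = [(0, 1, 2), (0, 2, 1), (1, 0, 2), (1, 2, 0), (2, 0, 1),
                   (2, 1, 0), (0, 1, 2), (2, 1, 0), (1, 2, 0), (0, 2, 1)]


def rotl32(x, s):
    """Leftward cyclic shift of a 32-bit word by s bits (the text's A <<< B)."""
    s %= 32
    return ((x << s) | (x >> (32 - s))) & MASK32


def shift_numbers(g):
    """Map one stage's control triple (G1, G2, G3) to its three shift numbers."""
    if len(g) != 3 or any(code not in SHIFT_FOR_CODE for code in g):
        raise ValueError(f"control triple {g!r} is not defined by FIG. 4")
    return tuple(SHIFT_FOR_CODE[code] for code in g)


def f(l, ka, kb, g):
    """Steps (1) to (5): F(L[N], K, G). Every addition is modulo 2**32."""
    s1, s2, s3 = shift_numbers(g)
    x1 = l ^ ka                                  # (1) exclusive-OR with KA
    x2 = (rotl32(x1, s1) + x1 + 1) & MASK32      # (2) shift selected by G1, add X1 and 1
    x3 = (rotl32(x2, s2) + x2) & MASK32          # (3) shift selected by G2, add X2
    x4 = (x3 + kb) & MASK32                      # (4) add KB
    return (rotl32(x4, s3) + x4) & MASK32        # (5) shift selected by G3, add X4


def encrypt_block(c, ka, kb, schedule):
    """Split the 64-bit block C into L[1], R[1] and run one stage per control triple."""
    l, r = (c >> 32) & MASK32, c & MASK32
    for g in schedule:
        # (6) L[N+1] = X5 + R[N]; (7) R[N+1] = L[N]
        l, r = (f(l, ka, kb, g) + r) & MASK32, l
    return (l << 32) | r


def decrypt_block(m, ka, kb, schedule):
    """Assumed inverse: undo the stages in reverse order with the same keys."""
    l, r = (m >> 32) & MASK32, m & MASK32
    for g in reversed(schedule):
        # r holds L[N]; l holds L[N+1] = F(L[N]) + R[N], so R[N] = L[N+1] - F(L[N])
        l, r = r, (l - f(r, ka, kb, g)) & MASK32
    return (l << 32) | r


def demo():
    """Encrypt and decrypt one constructed 64-bit block with the sample keys."""
    plain = 0x0123456789ABCDEF
    cipher = encrypt_block(plain, SAMPLE_KA, SAMPLE_KB, SAMPLE_SCHEDULE)
    return plain, cipher, decrypt_block(cipher, SAMPLE_KA, SAMPLE_KB, SAMPLE_SCHEDULE)


if __name__ == "__main__":
    p, c, d = demo()
    print(f"plain={p:016x} cipher={c:016x} decrypted={d:016x}")
```

Because the shift numbers come only from the control triples, the same schedule drives both directions and no plain-text bit ever selects a rotation amount.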
Next, description will be directed to a circuit configuration of the encrypting conversion apparatus.

FIG. 5 is a circuit diagram showing a circuit configuration of the N-th conversion stage 202 according to the instant embodiment of the invention as implemented in hardware. Referring to the figure, the circuit now under consideration is comprised of registers 601, 603 and 611, an adder 605, an exclusive-OR circuit 612, two-input multiplexers 602 and 607, three-input multiplexers 604 and 606, a leftward 2-bit cyclic shifter 608, a leftward 8-bit cyclic shifter 609 and a leftward 14-bit cyclic shifter 610. The data width is of 32 bits without exception.

Execution of the conversion processions shown in FIG. 3 can be completed within six cycles by controlling the multiplexers 602, 604, 606 and 607 so that the processions designated by the reference numerals 301 to 306 in FIG. 3 can be realized. The three-input multiplexer 606 designed for switching the cyclic shifter is controlled by the control signals G1, G2 and G3 outputted sequentially from the N-th cyclic shift number generating stage 205.

FIG. 6 is a view showing schematically structures of the leftward 2-bit cyclic shifter 608 and the leftward 8-bit cyclic shifter 609 both of which can be realized by resorting to a simple wired logic.

FIG. 7 is a view for illustrating the control for the three-input multiplexer 606 which is designed for switching the cyclic shifter. Referring to the figure, the three-input multiplexer 606 receives as the input data thereto the 32-bit outputs from the leftward 2-bit cyclic shifter 608, the leftward 8-bit cyclic shifter 609 and the leftward 14-bit cyclic shifter 610, respectively. Further, the 2-bit control signals G1, G2 and G3 are inputted sequentially to the three-input multiplexer 606. In response to each of the control signals G1, G2 and G3, the three-input multiplexer 606 selects one input data from the three input data mentioned above to thereby output the selected data as the output value of 32 bits. At this juncture, it is to be mentioned that the relations between the output values of the three-input multiplexer 606 and the control inputs G1, G2 and G3, respectively, are such as defined in FIG. 4. The control inputs G1, G2 and G3 for the three-input multiplexer 606 are arithmetically determined by a cyclic shift number generating circuit 701 shown in FIG. 7. Parenthetically, the cyclic shift number generating circuit 701 corresponds to the cyclic shift number generating unit shown in FIG. 2.

The cyclic shift number generating circuit 701 is implemented in the form of a sequencer circuit which can assume three internal statuses Q0, Q1 and Q2. When the input P0 is "0", the internal statuses (Q0, Q1 and Q2) of the sequencer circuit constituting the cyclic shift number generating circuit 701 make state transitions in response to synchronizing signals as follows:

Q1 → Q2

On the other hand, when the input P0 is "1", the undermentioned status transitions take place.

Q0 → Q2
Q1 → Q0
Q2 → Q1

Thus, the sequencer circuit can be represented by a ternary increment/decrement counter. The output values of the sequencer circuit are illustrated in a status transition diagram of the cyclic shift number generating circuit 701 shown in FIG. 7. ... P2, where P0, P1 and P2 are given as follows:

P1 = KG{3N-2}
P2 = KG{3N-3}

FIG. 8 is a view for illustrating relations between the initial values P1 and P2 and the internal statuses. To say in another way, the initial values of the internal statuses are determined as shown in FIG. 8 when a signal LOAD is "high". Incidentally, the cyclic shift number generating circuit 205 can be implemented in a simple circuit configuration. FIG. 9 is a circuit diagram of the cyclic shift number generating circuit. As is obvious for those skilled in the art, the circuit configuration shown in FIG. 9 is that of a ternary counter.

As will now be understood, according to the teachings of the present invention incarnated in the arrangement shown ... encrypting conversion is carried out by combining the transposition processing realized by 2-bit, 8-bit and 14-bit leftward cyclic shift with the substitution processing, wherein the bit number for the cyclic shift at each stage is determined as shown in FIG. 4 on the basis of the values of the control signals G1, G2 and G3 which in turn are determined by the algorithm key KG, as can be seen in FIG. 2. Since the control signals G1, G2 and G3 at each stage assume mutually different values without exception, there can be conceived 6 (=3!) different orders or sequences for the cyclic shift operation. In the system according to the instant embodiment of the invention, it is assumed that ten encrypting conversion stages are provided. Consequently, the order or sequence for the cyclic shift operation is ... definitely from 6^10 (tenth power of six) types or varieties. Thus, it is safe to say that the encrypting conversion ... randomness owing to the ...

Next, in conjunction with the encrypting conversion illustrated in FIG. 3, the effect of the cyclic shift as exerted to the data diffusion will be examined. To this end, FIGS. 10 and 11 illustrate the encrypting conversion processes in the encrypting conversion system according to the instant embodiment of the invention on the conditions that

KA = KB = 0

where KA and KB represent the work keys, respectively,

L[1] = R[1] = 0

where L[1] represents the more significant 32-bit data with R[1] representing the least significant 32-bit data, and that the sequences of the cyclic shifts are as follows:

Case #1 (FIG. 10): 2 → 8 → 14: at the first stage
                   2 → 14 → 8: at the second stage
                   8 → 2 → 14: at the third stage, and
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-continued 
Case #2 {FIG. ! 1): 8 -♦ 14 -* 2: at the first stage 

14 2 8: at the second stage 
14 8 -» 2: at the third stage 

The first bit "1" produced through the first-stage encrypting conversions 4001 (FIG. 10) and 5001 (FIG. 11) and given by

exerts influence to the median significant bit through the cyclic shift till the second-stage encrypting conversions 4002 (FIG. 10) and 5002 (FIG. 11), and through the third-stage encrypting conversions 4003 (FIG. 10) and 5003 (FIG. 11), all the bits are diffused. Further, comparison of the case #1 with the case #2 shows that conversion to utterly different values is realized which means that changes of the sequence of the cyclic shifts is effective for the data diffusion.

Now, description will turn to a decrypting conversion processing according to the instant embodiment of the invention.

FIG. 12 is a block diagram showing schematically a general arrangement of a decrypting conversion apparatus according to the instant embodiment of the invention. Referring to the figure, inputted to a decryption unit 401 are an encrypted text (M) 105 of 64 bits, a work key (KA) 102 of 32 bits, a work key (KB) 103 of 32 bits and a work key (KG) 104 of 30 bits. After the decrypting conversion performed for the encrypted text (M) 105, a plain-text (C) 101 of 64 bits is outputted from the decryption unit 401. Needless to say, the decryption unit 401 has a function of converting the inputted encrypted text to an original plain-text. As described previously, the encrypting conversion processing at the N-th stage is stated as follows:

Accordingly, the decrypting conversion processing at the N-th stage can be given by the following expressions:

At this juncture, it should be mentioned that throughout the specification, the arithmetic expression "A-B" in general represents a remainder resulting from division of the result of subtraction between "A" and "B" by the thirty-second power of "2". Hereinafter, "A-B" will also be referred to simply as the subtraction. Thus, it will be understood that the decryption unit 401 can be realized by replacing the addition circuit 306 shown in FIG. 3 by a subtraction circuit. Further, at a given N-th decryption processing stage (where N represents a natural number), the inputs "R[N+1]" and "L[N+1]" are processed to be outputted as "R[N]" and "L[N]". The decryption can be realized by repeating the above processing ten times at the respective decrypting stages.

Embodiment 2

A second embodiment of the present invention will be described.

In the case of the encrypting conversion system according to the first embodiment of the invention described hereinbefore by reference to FIG. 3, it has been assumed that the cyclic shift encrypting conversion unit is so designed as to select three types of bit strings, i.e., leftward-shift-destined 2 bits, leftward-shift-destined 8 bits or leftward-shift-destined 14 bits with the work key KG (i.e., the data for determining the shift number selecting sequence). It is however noted that substantially same effects can be obtained by changing the number of bits to be shifted leftward or rightward as well as the number of different types of cyclic shift processions. Besides, the work key KG may be set previously and undergo no change or alternatively the work key KG may be altered on a period-by-period basis. By way of example, the cyclic shift conversion unit may be so designed as to select leftward-shift-destined 2 bits, leftward-shift-destined 9 bits and leftward-shift-destined 19 bits. In this conjunction, such change of the bit strings to be shifted leftward or rightward can easily be realized simply by changing correspondingly the wired logic shown in FIG. 7 without involving any appreciable change in the circuit scale.

Further, in conjunction with the encrypting conversion apparatus shown in FIG. 3, it has been assumed that the [...] handled as the independent keys. However, such scheme can equally be adopted in which these keys are generated from a single data key KD. An exemplary circuit configuration to this end is shown in FIG. 13. Referring to the figure, a key generating unit 502 is designed to generate the work key KA, the work key KB and the work key KG from a data key (KD) 501 in such manners as defined below:

1) Work key KA is generated by the addition of the more 
significant 32 bits and least significant 32 bits of the 
data key KD. 

2) Work key KB is generated by using the more significant 
32 bits of the data key KD. 

3) Work key KG is generated by using the least significant 
30 bits of the work key KA. 

Embodiment 3 

Next, referring to FIG. 14, description will be made of a 
third embodiment of the invention which is directed to 
realization of the teachings of the invention by resorting to 
software technique. 

In the instant embodiment of the invention, nine data 
mentioned below are used. 

L : data to undergo encrypting conversion (32 bits) 
R : data to undergo encrypting conversion (32 bits) 
KA : data of work key #1 (32 bits) 
KB : data of work key #1 (32 bits) 
KG : data of work key #2 (32 bits) 
Q : internal status value of cyclic shift generating module (8 bits)

N : counter value (8 bits) 

X : data for the work (32 bits) 

S : data for the work (32 bits) 

Now, processing contents illustrated in FIG. 14 will be
described in order.

(1) In a processing step 1001 shown in FIG. 14, a plain-text
C of 64 bits is divided into more significant 32-bit data
which are substituted for (or set as) the encrypting con-
version undergoing data L and the encrypting conversion
undergoing data R, respectively.

(2) In a processing step 1002 shown in FIG. 14, a counter 
value N is set to "1". 

(3) In a processing step 1003 shown in FIG. 14, a returned value of a local variable initializing function INIT(KG, N) incorporated in the cyclic shift generating module is substituted for the internal status value Q of the cyclic shift generating module. In the case of the instant embodiment of the invention, the returned value of the local variable initializing function INIT(KG, N) incorporated in the cyclic shift is determined from the values of the work key (#2) KG{3N-3} and the work key (#2) KG{3N-2} in a processing step 1101 shown in FIG. 15.

(4) Exclusive-OR of the encrypting conversion undergoing data L and the work key (#1) data KA is substituted for (or set as) the work-oriented data X in a processing step 1004 shown in FIG. 14.

(5) In a processing step 1005 shown in FIG. 14, the returned value S=FUNC(X, KG, N, Q) from the cyclic shift and add function is added with "1" and is substituted for (or set as) the work-oriented data X.

(6) In a processing step 1006 shown in FIG. 14, the returned value S=FUNC(X, KG, N, Q) from the cyclic shift and add function is substituted for the work-oriented data X.

(7) The work-oriented data X is added with the work key (#1) KB data and substituted for the work-oriented data X in a processing step 1007 shown in FIG. 14.

(8) In a processing step 1008 shown in FIG. 14, the returned value S=FUNC(X, KG, N, Q) from the cyclic shift and add function is substituted for the work-oriented data X.

(9) The work-oriented data X is added with the encrypting conversion undergoing data R and substituted for (or set as) the work-oriented data X in a processing step 1009 shown in FIG. 14.

(10) The encrypting conversion undergoing data L is substituted for the encrypting conversion undergoing data R in a processing step 1010 shown in FIG. 14.

(11) The work-oriented data X is substituted for the encrypting conversion undergoing data L in a processing step 1011 shown in FIG. 14.

(12) In a processing step 1012 shown in FIG. 14, it is decided whether or not the counter value N is smaller than "10" inclusive.

(13) When it is decided in the decision step 1012 that the counter value N is not greater than "10", then the value of the counter value N is incremented by "1" (one) in a processing step 1013 shown in FIG. 14. Subsequently, the processing step 1003 is resumed.

(14) On the other hand, if the counter value N is greater than "10" in the step 1012, then the encrypting conversion undergoing data L is combined with the encrypting conversion undergoing data R, the result of which is outputted as an encrypted text M.

The cyclic shift and the add function FUNC(X, KG, N, Q) are realized through the processions illustrated in a flow chart of FIG. 16. The contents of the processions shown in this figure will be described below.

(1) On the basis of the internal status value Q, the leftward cyclic shift by 2 bits, by 8 bits or by 14 bits is performed for the work-oriented data X, the result of which is saved as the work-oriented data S in a processing step 1201 shown in FIG. 16.

(2) Result of the addition of the work-oriented data S and the work-oriented data X is again saved as the work-oriented data S in a processing step 1202.

(3) In case the value of the work-key (#2) data KG{3N-1} is "0", the internal status value Q is updated to a value equal to a remainder resulting from division of the result of incrementation of the internal status value Q by "1", whereas when the value of the work key (#2) data KG{3N-1} is "1", the internal status value Q is updated to a value equal to a remainder resulting from division of the result of decrementation of the internal status value Q by "1" (processing step 1203 in FIG. 16).

(4) The value of the work-oriented data S is substituted for the returned value in a processing step 1204 shown in FIG. 16.

It is self-explanatory from the foregoing description that softwarewise decryption processings can be realized by replacing the addition processing 1009 shown in FIG. 14 by the subtraction processing. In the foregoing, the embodiment of the invention which is directed to the softwarewise realization of the encryption processing and the decryption processing has been described. As can readily be understood, intelligent encryption processing can be realized with simple software structure. Accordingly, the teachings of [...] instant embodiment can [...] home-use-destined electric/electronic equipment.

Embodiment 4

A fourth embodiment of the invention is directed to authentication of a counterpart. This embodiment will be described by referring to FIG. 17. It is assumed that an equipment (A) 1301 and an equipment (B) 1302 are interconnected through a network or an external bus 1303 and that the equipment (A) 1301 and the equipment (B) 1302 are home-use-destined electric/electronic equipment, personal computers or the like. Besides, it is presumed that each of encryption apparatuses 1304 and 1307 and each of decryption apparatuses 1305 and 1306 are implemented in the form of the encryption apparatus and the decryption apparatus described hereinbefore by reference to FIGS. 1 and 12, respectively. Now, description will be made of the authen[...] counterpart equipment in the system shown in [...]

(1) [...] equipment (B) 1302 generates a random number RB and transmits data RB||Text 1 to the equipment A, as indicated by reference numeral 1309. At this juncture, it is to be noted that "Text 1" represents auxiliary information, and that the expression "X||Y" in general represents combination of "X" and "Y".

(2) The equipment (A) 1301 generates data given by the undermentioned expression and sends it to the equipment (B) 1302 as indicated by an arrow 1308.

Token AB=Text 3||eKAB (RA||RB||IB||Text 2)

In the above expression, "RA" represents a random number generated by the equipment (A) 1301, "IB" represents the identifier of the equipment (B) 1302, "Text 2" and "Text 3" represent auxiliary information, and "eKAB(X)" represents that "X" is encrypted with a shared secret key KAB common to both the equipment (A) 1301 and the equipment (B) 1302.

(3) Upon reception of the data "Token AB", the equipment (B) 1302 decrypts the enciphered text portion to thereby confirm that the identifier IB as well as the random number RB sent to the equipment A is correct.

(4) The equipment (B) 1302 generates data given by the undermentioned expression and sends it to the equipment (A) 1301 as indicated by an arrow 1310.

Token BA=Text 5||eKAB (RB||RA||IA||Text 4)

In the above expression, "Text 4" and "Text 5" represent auxiliary information.

(5) Upon reception of the data "Token BA", the equipment (A) 1301 decrypts the enciphered text portion to thereby confirm that both the random number RB received from the equipment (B) 1302 at the above-mentioned stage (1) and the random number RA sent to the equipment (B) 1302 at the above-mentioned stage (2) are contained in the data "Token BA".

As is apparent from the above description in the paragraphs (1) to (5), the encryption apparatus as well as the decryption apparatus can enjoy the advantageous feature that the authenticity of the counterparts can be mutually confirmed. At this juncture, it should be added that the auxiliary data or information Text 2 or Text 4 may be stored in the work key or data key. In that case, the data key or the work key can be shared by the equipment A and B with high security.
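The software procedure of Embodiment 3 (FIG. 14 and FIG. 16), with the Embodiment 2 key derivation and the decryption by subtraction, written out as an added Python example that is not code from the patent. Assumptions: KG{i} is bit i counted from the least significant bit, KG{3N-3} and KG{3N-2} form a two-bit number reduced modulo 3 to give the starting status, statuses Q0, Q1, Q2 select left shifts of 2, 8, 14 bits, the status remainder is taken modulo 3, ten stages are run, additions are modulo 2^32, and decryption runs the stages in reverse order; the KG sample values are constructed.

```python
"""Added illustration of the Embodiment 3 software cipher (not the patent's code)."""

MASK32 = 0xFFFFFFFF
SHIFTS = (2, 8, 14)   # assumption: statuses Q0, Q1, Q2 select left shifts 2, 8, 14
STAGES = 10           # the text provides ten encrypting conversion stages

# Constructed KG values whose first three stages follow Case #1 and Case #2.
KG_CASE1 = 0x1A0
KG_CASE2 = 0x14A


def rotl32(x, n):
    """Leftward cyclic shift of a 32-bit word by n bits."""
    return ((x << n) | (x >> (32 - n))) & MASK32


def kg_bit(kg, i):
    """KG{i}; assumption: bit 0 is the least significant bit of KG."""
    return (kg >> i) & 1


def init_status(kg, n):
    """INIT(KG, N): starting status from KG{3N-3} and KG{3N-2}."""
    return ((kg_bit(kg, 3 * n - 3) << 1) | kg_bit(kg, 3 * n - 2)) % 3


def step_status(q, kg, n):
    """Step 1203: KG{3N-1} = 0 increments Q, 1 decrements it (assumed modulo 3)."""
    return (q + (-1 if kg_bit(kg, 3 * n - 1) else 1)) % 3


def shift_schedule(kg, stages=STAGES):
    """Shift counts used by the three FUNC calls of every stage.

    The schedule depends on KG only, never on the data being converted."""
    schedule = []
    for n in range(1, stages + 1):
        q, shifts = init_status(kg, n), []
        for _ in range(3):
            shifts.append(SHIFTS[q])
            q = step_status(q, kg, n)
        schedule.append(tuple(shifts))
    return schedule


def stage_function(l, ka, kb, shifts):
    """Steps 1004 to 1008: X computed from L, KA, KB and three FUNC calls."""
    def func(x, s):                          # FUNC, steps 1201 and 1202
        return (rotl32(x, s) + x) & MASK32
    x = l ^ ka                               # step 1004
    x = (func(x, shifts[0]) + 1) & MASK32    # step 1005
    x = func(x, shifts[1])                   # step 1006
    x = (x + kb) & MASK32                    # step 1007
    return func(x, shifts[2])                # step 1008


def encrypt_block(c, ka, kb, kg, stages=STAGES):
    """Steps 1001 to 1013: 64-bit plain-text C to 64-bit encrypted text M."""
    l, r = c >> 32, c & MASK32
    for shifts in shift_schedule(kg, stages):
        # steps 1009 to 1011: L[N+1] = X + R[N], R[N+1] = L[N]
        l, r = (stage_function(l, ka, kb, shifts) + r) & MASK32, l
    return (l << 32) | r


def decrypt_block(m, ka, kb, kg, stages=STAGES):
    """Same stages in reverse order with the addition replaced by subtraction."""
    l, r = m >> 32, m & MASK32
    for shifts in reversed(shift_schedule(kg, stages)):
        # L[N] = R[N+1], R[N] = L[N+1] - X
        l, r = r, (l - stage_function(r, ka, kb, shifts)) & MASK32
    return (l << 32) | r


def derive_work_keys(kd):
    """Embodiment 2: KA, KB, KG from a 64-bit data key KD."""
    hi, lo = kd >> 32, kd & MASK32
    ka = (hi + lo) & MASK32                  # assumption: addition modulo 2**32
    return ka, hi, ka & ((1 << 30) - 1)


if __name__ == "__main__":
    ka, kb, kg = derive_work_keys(0x0123456789ABCDEF)   # constructed data key
    m = encrypt_block(0x1122334455667788, ka, kb, kg)
    print(hex(m), hex(decrypt_block(m, ka, kb, kg)))
    # Zero keys and zero plain-text, as in the diffusion discussion:
    print(hex(encrypt_block(0, 0, 0, KG_CASE1)), hex(encrypt_block(0, 0, 0, KG_CASE2)))
```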

Embodiment 5 

Next, description will be made of a system for circulating or distributing package contents such as DVD-video or the like according to a fourth embodiment of the present invention. FIG. 18 is a block diagram showing a package contents distributing/circulating system according to the instant embodiment of the invention.

Referring to the figure, a contents provider 1401 registers copyright information at a copyright managing facility 1418 to obtain contents identification information (IDA) 1402. The contents identification information (IDA) 1402 is embedded into the contents data 1403 by resorting to an electronic transparentizing technique (or so-called digital watermarking technique) which allows the identification information or the like to be contained in digital data in a hidden state, whereby package contents 1404 is finished. FIG. 19 is a schematic view illustrating the contents data contained in the package contents 1404, wherein the contents identification information (IDA) 1402 is embedded as an electronic transparent information.

When the contents data contained in the package contents 1404 is to be transferred from the home-use-destined electric/electronic equipment (B) 1405 to a personal computer (C) 1411, the user identification information (IDB) 1407 issued by the copyright managing facility 1418 is embedded in the contents data 1403 in the home-use-destined electric/electronic equipment (B) 1405, whereon the contents data 1403 having the electronic transparent information embedded is encrypted with key data (K) 1408 by the encryption apparatus 1406 incarnating the teachings of the invention, to be outputted onto the external bus as the encrypted text data. FIG. 20 is a view showing schematically and illustratively the contents data transmitted along a path 1409, which contains the contents identification information (IDA) 1402 and the user identification information (IDB) 1407 as the electronic transparent information.

On the other hand, in the personal computer (C) 1411 which receives the contents data from the home-use-destined electric/electronic equipment (B) 1405, the encrypted data is decrypted by a decryption apparatus 1412 according to the invention by using key data (K) 1415. In the processing procedure described above, IC (integrated circuit) cards 1410 and 1417 may be employed for managing the user information and the key data.

When the contents data is to be transferred from the personal computer (C) 1411 to the network, the user identification information (IDC) 1414 issued by the copyright managing facility 1418 is embedded in the contents data as the electronic transparent information in the personal computer (C) 1411, whereon the contents data incorporating the electronic transparent information is encrypted with key data (K) 1415 by the encryption apparatus 1413 incarnating the teachings of the invention. FIG. 21 is a view showing schematically and illustratively the contents data transmitted along a path 1416, which contains the contents identification information (IDA) 1402, the user identification information (IDB) 1407 and the user identification information (IDC) 1414 as the electronic transparent information. In the processing procedure described above, IC card 1417 may be employed for managing the user information and the key data.

The copyright managing facility 1418 serves to monitor or supervise the data transferred via a network. Upon detection of the data not decrypted, the contents identification information IDA contained in the data is matched with the information contained in a copyright information managing database 1420. When it is decided as the result of the matching that the data of concern is unauthorized copy, the copyright managing facility 1418 traces the latter back to the origin by making use of the user identification information and can impose penalty.

Embodiment 6

FIG. 22 shows a distributing/circulating system for the digital contents via a broadcast system such as a digital satellite broadcasting or the like according to a sixth embodiment of the present invention. Referring to the figure, a contents provider 1401 registers copyright information at a copyright managing facility 1418 and obtains contents identification information (IDA) 1402. The contents data having the contents identification information IDA embedded as electronic transparent information or watermark is sent to a broadcasting center 1801 and encrypted by means of an existing encryption apparatus 1802 to be subsequently broadcast toward home-use-destined electric/electronic equipment. In the home-use-destined electric/electronic equipment, the broadcast data as received is decrypted by means of an existing decryption apparatus 1803. In that case, the home-use-destined electric/electronic equipment is equipped with an encryption apparatus 1406 incarnating the teachings of the present invention. Thereafter, the contents data is distributed or circulated in a manner similar to the case illustrated in FIG. 18.

As is apparent from the above, it is possible to structurize a distribution/circulation system for digital contents by combining the encrypting conversion system according to the invention with the existing encrypting conversion system such as the digital satellite broadcasting system. In other words, the present invention can find application over a wide range of media such as package media, broadcasting media, communication media, etc.

Finally, it should be added that the present invention provides encryption systems or schemes which ensure highly enhanced randomness.

What is claimed is:

1. An encrypting conversion apparatus in which at least one key and plain text data are inputted, the inputted plain text is divided into a first data and a second data, said first data and said second data are set as a first initial data L[1] and a second initial data R[1], an encrypting conversion processing is repeated at least twice using the same function to receive data L[N] and data R[N] and output data L[N+1] and data R[N+1], respectively, wherein N is a natural number, and a combination of the two output data from a final stage of the encrypting conversion processing is provided as an encrypted text, comprising:

cyclic shift processing means for performing a cyclic shift processing based on a shift number determined by data for determining a shift number selecting sequence, said shift number being independent from the plain text data; and

said cyclic shift processing means including at least two different fixed cyclic shift processing means each for performing cyclic shift by a fixed number of bits leftward or alternatively rightward, cyclic shift processing selecting means for selecting said fixed cyclic shift processing means, and cyclic shift processing sequence






determining means for determining a selecting sequence for said cyclic shift processing selecting means on the basis of said data for determining a shift number selecting sequence;

encrypting conversion processing means for performing at least once for said data L[N] a conversion processing by using said key and a cyclic shift processing using said cyclic shift processing means, respectively, to thereby generate data X, and arithmetically operating said data R[N] and said data X to obtain a value for said data L[N+1] and set said data L[N] for said data R[N+1].

2. An encrypting conversion apparatus according to claim

said cyclic shift processing sequence determining means being so arranged as to select at least two of said fixed cyclic shift processing means in accordance with the sequence determined by said cyclic shift processing sequence determining means;

said cyclic shift processing sequence determining means being so arranged as to determine the cyclic shift processing sequence which differs from one to another stage of said encrypting conversion processing means in response to input values of bit strings of the data, respectively, for thereby determining said shift number, said input values of said bit strings differing from one to another stage of said encrypting conversion processing means; and

said encrypting conversion processing means being so arranged as to perform block-based encrypting conversions which differ from one to another stage of said encrypting conversion processing means.

3. An encrypting conversion apparatus according to claim

wherein said fixed cyclic shift processing means is constituted by a wired logic circuit.

4. An encrypting conversion apparatus according to claim

wherein said cyclic shift processing selecting means is constituted by a multiplexer.

5. An encrypting conversion apparatus according to claim

wherein said cyclic shift processing sequence determining means is implemented by a cyclic shift processing sequence generating circuit which makes internal status transition in response to a synchronizing signal by using said cyclic shift determining data as initial values of internal statuses and input signals for thereby outputting control input signals for said cyclic shift processing selecting means.

6. An encrypting conversion apparatus according to claim

wherein said fixed cyclic shift processing means, said cyclic shift processing means and said cyclic shift processing sequence determining means are each implemented in software.

7. A decrypting conversion apparatus in which at least one key and encrypted text data are inputted, the inputted encrypted text is divided into a first data and a second data, said first data and said second data are set as a first initial data L[1] and a second initial data R[1], a decrypting conversion processing is repeated at least twice using the same function to receive data L[N] and data R[N] and output data L[N+1] and data R[N+1], respectively, wherein N is a natural number, and a combination of the two output data from a final stage of the decrypting conversion processing is provided as plain text data, comprising:

cyclic shift processing means for performing a cyclic shift processing based on a shift number determined by data for determining a shift number selecting sequence, said shift number being independent from the plain text data; and

said cyclic shift processing means including at least two different fixed cyclic shift processing means each for performing cyclic shift by a fixed number of bits leftward or alternatively rightward, cyclic shift processing selecting means for selecting said fixed cyclic shift processing means, and cyclic shift processing sequence determining means for determining a selecting sequence for said cyclic shift processing selecting means on the basis of said data for determining a shift number selecting sequence;

decrypting conversion processing means for performing at least once for said data L[N] a conversion processing by using said key and a cyclic shift processing using said cyclic shift processing means, respectively, to thereby generate data X, and arithmetically operating said data R[N] and said data X to obtain a value for said data L[N+1] and set said data L[N] for said data R[N+1].

8. A decrypting conversion apparatus according to claim

said cyclic shift processing sequence determining means being so arranged as to select at least two of said fixed cyclic shift processing means in accordance with the sequence determined by said cyclic shift sequence determining means;

said cyclic shift processing sequence determining means being so arranged as to determine the cyclic shift processing sequence which differs from one to another stage of said decrypting conversion processing means in response to input values of bit strings of the data, respectively, for thereby determining said shift number, said input values of said bit strings differing from one to another stage of said decrypting conversion processing means; and

said decrypting conversion processing means being arranged so as to perform block-based decrypting conversion processings which differ from one to another stage of said decrypting conversion processing means.

9. A decrypting conversion apparatus according to claim

wherein said cyclic shift processing sequence determining means is implemented by a cyclic shift processing sequence generating circuit which makes internal status transit in response to a synchronizing signal by using said cyclic shift determining data as initial values of internal statuses and input signals for thereby outputting a control input signal for said cyclic shift processing selecting means.

10. An encrypting conversion method of generating encrypted text data, comprising in combination the steps of:

inputting at least one key and plain text data, dividing the inputted plain text into a first data and a second data;

setting said first data and said second data as a first initial data L[1] and a second initial data R[1];

repeating at least twice an encrypting conversion processing using the same function to receive data L[N] and data R[N] and output data L[N+1] and data R[N+1], respectively, where N is a natural number;

providing a combination of the two output data from a final stage of the encrypting conversion processing is provided as an encrypted text;

performing a cyclic shift processing based on a shift number by data for determining a shift number, said shift number being independent from the plain text data;

performing at least once for said data L[N], a conversion processing by using said key and a cyclic shift processing using said cyclic shift processing performing step, respectively, to thereby generate data X;

arithmetically operating said data R[N] and said data X to obtain a value for said data L[N+1] and set said data L[N] for said data R[N+1]; and

wherein the data for determining the shift number is made to differ between at least two encrypting conversion processings.

11. A decrypting conversion method of generating plain
text data, comprising in combination the steps of:

inputting at least one key and encrypted text data, dividing
the inputted encrypted text into a first data and a second
data;

setting said first data and said second data as a first initial 
data L[l] and a second initial data R[l]; 

repeating at least twice a decrypting conversion process-
ing using the same function to receive data L[N] and
data R[N] and output data L[N+1] and data R[N+1],
respectively, where N is a natural number;

providing a combination of the two output data from a 
final stage of the decrypting conversion processing as 
plain text; 

performing a cyclic shift processing based on a shift 
number by data for determining a shift number, said 
shift number being independent from the plain text 
data; 

performing at least once for said data L[N], a conversion 
processing by using said key and a cyclic shift pro- 
cessing using said cyclic shift processing performing 
step, respectively, to thereby generate data X; and 

arithmetically operating said data R[N] and said data X to
obtain a value for said data L[N+1] and set said data
L[N] for said data R[N+1];

wherein the data for determining the shift number is made 
to differ between at least two decrypting conversion 
processings. 

12. A computer program for generating encrypted text
data in which at least one key and plain text data are
inputted, the inputted plain text is divided into a first data
and a second data, said first data and said second data are set
as a first initial data L[1] and a second initial data R[1], an
encrypting conversion processing is repeated at least twice
using the same function to receive data L[N] and data R[N]
and output data L[N+1] and data R[N+1], respectively,
wherein N is a natural number, and a combination of the two
output data from a final stage of the encrypting conversion
processing is provided as an encrypted text, the computer
program stored on a computer-readable medium and com-
prising:

instructions for performing a cyclic shift processing for 
performing a cyclic shift processing based on a shift 
number determined by data for determining a shift 
number, said shift number being independent from the 
plain text data; 

instructions for performing at least once for said data
L[N] an encrypting conversion processing by using
said key and a cyclic shift processing using said cyclic
shift processing means, respectively, to thereby gener-
ate data X, and arithmetically operating said data R[N]
and said data X to obtain a value for said data L[N+1]
and set said data L[N] for said data R[N+1]; and
wherein the data for determining the shift number is made 
to differ between at least two encrypting conversion 
processings. 

13. A computer program for generating plain text data in 
which at least one key and encrypted text data are inputted, 
the inputted encrypted text is divided into a first data and a 
second data, said first data and said second data are set as a 
first initial data L[l] and a second initial data R[l], a 
decrypting conversion processing is repeated at least twice 
using the same function to receive data L[N] and data R[N] 
and output data L[N+1] and data R[N+1], respectively,
wherein N is a natural number, and a combination of the two 
output data from a final stage of the decrypting conversion 
processing is provided as plain text, the computer program 
stored on a computer-readable medium and comprising: 

instructions for performing a cyclic shift processing for 
performing a cyclic shift processing based on a shift 
number determined by data for determining a shift 
number, said shift number being independent from the 
plain text data; 

instructions for performing at least once for said data 
L[N] a decrypting conversion processing by using said 
key and a cyclic shift processing using said cyclic shift 
processing means, respectively, to thereby generate 
data X, and arithmetically operating said data R[N] and 
said data X to obtain a value for said data L[N+1] and
set said data L[N] for said data R[N+1]; and

wherein the data for determining the shift number is made 
to differ between at least two decrypting conversion 
processings. 

14. An encrypting conversion apparatus for inputting at 
least one cipher key and plain text data and outputting cipher
text data, the encrypting conversion apparatus comprising: 

a plurality of stages of encrypting conversion means for 
performing a first conversion for substituting different 
data for at least the plain text data and a second 
conversion for rearranging bits of the data, 

wherein said encrypting conversion means executes either
an exclusive logical sum operation or an addition
operation of input data and first data generated from the
cipher key, thereafter executes said first conversion and
said second conversion, thereafter executes either an
exclusive logical sum operation or an addition operation
of the input data and second data generated from
the cipher key, and thereafter executes said first
conversion; and

wherein encrypting conversion processing performed by 
said encrypting conversion means is repeated at least 
twice using the same function; 

wherein the data for determining the shift number is made 
to differ between at least two encrypting conversion 
processings by said encrypting conversion processing 
means. 

15. A decrypting conversion apparatus for inputting at 
least one cipher key and cipher text data and outputting plain 
text data, the decrypting conversion apparatus comprising: 

a plurality of stages of decrypting conversion means for 
performing a first conversion for substituting different 
data for at least the cipher text data and a second 
conversion for rearranging bits of the data, 

wherein said decrypting conversion means executes either
an exclusive logical sum operation or an addition
operation of input data and first data generated from the
cipher key, thereafter executes said first conversion and
said second conversion, thereafter executes either an
exclusive logical sum operation or an addition operation
of the input data and second data generated from
the cipher key, and thereafter executes said first
conversion; and

wherein decrypting conversion processing performed by 
said decrypting conversion means is repeated at least 
twice using the same function; 

wherein the data for determining the shift number is made 
to differ between at least two decrypting conversion 
processings by said decrypting conversion processing 
means. 

16. An encrypting conversion apparatus in which at least 
one key and plain text data are inputted, the inputted plain 
text is divided into a first data and a second data, said first
data and said second data are set as a first initial data L[1]
and a second initial data R[1], an encrypting conversion
processing is repeated at least twice using the same function
to receive data L[N] and data R[N] and output data L[N+1]
and data R[N+1], respectively, wherein N is a natural
number, and a combination of the two output data from a
final stage of the encrypting conversion processing is
provided as an encrypted text, comprising:

a cyclic shift processor, which performs a cyclic shift 
processing based on a shift number determined by data 
for determining a shift number selecting sequence, said 
shift number being independent from the plain text 
data, 

said cyclic shift processor including at least two different 
fixed cyclic shift processors, each of which performs 
cyclic shift by a fixed number of bits leftward or 
alternatively rightward, a cyclic shift processing 
selector, which selects said fixed cyclic shift 
processors, and a cyclic shift processing sequence 
determining device, which determines a selecting 
sequence for said cyclic shift processing selector on the
basis of said data for determining a shift number 
selecting sequence; and 

an encrypting conversion processor, which performs at 
least once for said data L[N] a conversion processing
by using said key and a cyclic shift processing using
said cyclic shift processor, respectively, to thereby
generate data X, and arithmetically operating said data
R[N] and said data X to obtain a value for said data
L[N+1] and set said data L[N] for said data R[N+1].



17. An encrypting conversion apparatus according to
claim 16,

wherein said cyclic shift processing sequence determining
device is so arranged as to select at least two of said
fixed cyclic shift processors in accordance with the
sequence determined by said cyclic shift processing
sequence determining means;

said cyclic shift processing sequence determining device
being so arranged as to determine the cyclic shift
processing sequence which differs from one to another
stage of said encrypting conversion processor means in
response to input values of bit strings of the data,
respectively, for thereby determining said shift number,
said input values of said bit strings differing from one
to another stage of said encrypting conversion
processor; and

said encrypting conversion processor being so arranged as
to perform block-based encrypting conversions which
differ from one to another stage of said encrypting
conversion processor.

18. An encrypting conversion apparatus according to 
claim 16, 

wherein said fixed cyclic shift processors are constituted 
by a wired logic circuit. 

19. An encrypting conversion apparatus according to 
claim 16, 

wherein said cyclic shift processing selector is constituted 
by a multiplexer. 

20. An encrypting conversion apparatus according to 
claim 16, 

wherein said cyclic shift processing sequence determining
device is implemented by a cyclic shift processing
sequence generating circuit which makes internal status
transition in response to a synchronizing signal by
using said cyclic shift determining data as initial values
of international statuses and input signals for thereby
outputting control input signals for said cyclic shift
processing selector.

21. An encrypting conversion apparatus according to 
claim 16, 

wherein said fixed cyclic shift processors, said cyclic shift
processor and said cyclic shift processing sequence
determining device are each implemented in software.
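
The structure recited in claims 16 to 21, sketched in Python as an added illustration that is not code from the patent: a Feistel-style stage whose rotation amounts are picked from fixed shifters by per-stage selector codes, independent of the plain text. Only the 2/8/14-bit table comes from the FIG. 4 table on this page; the round function `round_f`, the use of XOR as the arithmetic operation, the per-stage code tuples and the key values are assumptions made for the example.

```python
MASK32 = 0xFFFFFFFF
# 2-bit selector code -> fixed leftward rotation (FIG. 4 table on this page).
SHIFT_TABLE = {0b00: 2, 0b01: 8, 0b10: 14}

def rotl32(x, n):
    """Fixed leftward cyclic shift of a 32-bit word by n bits."""
    return ((x << n) | (x >> (32 - n))) & MASK32

def select_shifts(g_codes):
    """Selector: map codes (G1, G2, G3) to shift numbers; 0b11 selects nothing."""
    for g in g_codes:
        if g not in SHIFT_TABLE:
            raise ValueError(f"selector code {g!r} has no fixed shifter")
    return [SHIFT_TABLE[g] for g in g_codes]

def round_f(l, ka, kb, g_codes):
    """Assumed round function (not the patent's): key mixing plus selected rotations."""
    s1, s2, s3 = select_shifts(g_codes)    # depends on key-side data only, never on l
    x = rotl32((l + ka) & MASK32, s1)
    x = rotl32(x ^ kb, s2)
    return rotl32((x + l) & MASK32, s3)

def encrypt(block64, ka, kb, stage_codes):
    l, r = block64 >> 32, block64 & MASK32
    for g in stage_codes:                  # L[N+1] = R[N] xor X, R[N+1] = L[N]
        l, r = r ^ round_f(l, ka, kb, g), l
    return (l << 32) | r

def decrypt(block64, ka, kb, stage_codes):
    l, r = block64 >> 32, block64 & MASK32
    for g in reversed(stage_codes):        # undo the stages in reverse order
        l, r = r, l ^ round_f(r, ka, kb, g)
    return (l << 32) | r

# Constructed sample values (assumptions, not taken from the patent).
KA, KB = 0x01234567, 0x89ABCDEF
STAGE_CODES = [(0, 1, 2), (2, 0, 1), (1, 2, 0), (0, 0, 2)]  # differs per stage
PLAIN = 0x0011223344556677

if __name__ == "__main__":
    c = encrypt(PLAIN, KA, KB, STAGE_CODES)
    print(f"cipher={c:016x} roundtrip_ok={decrypt(c, KA, KB, STAGE_CODES) == PLAIN}")
```

Because the shift numbers are fixed before any data arrives, every block sees the same rotation schedule, so rotation timing carries no information about the plain text.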